Class Wss4jSecurityInterceptor

All Implemented Interfaces:
org.springframework.beans.factory.InitializingBean, ClientInterceptor, EndpointInterceptor, SoapEndpointInterceptor

public class Wss4jSecurityInterceptor extends AbstractWsSecurityInterceptor implements org.springframework.beans.factory.InitializingBean
A WS-Security endpoint interceptor based on Apache's WSS4J. This interceptor supports messages created by the and the SaajSoapMessageFactory.

The validation and securement actions executed by this interceptor are configured via the validationActions and securementActions properties, respectively. Actions should be passed as a space-separated string.

Valid validation actions are:

Validation action   Description
UsernameToken       Validates username token
Timestamp           Validates the timestamp
Encrypt             Decrypts the message
Signature           Validates the signature
NoSecurity          No action performed

Securement actions are:

Securement action        Description
UsernameToken            Adds a username token
UsernameTokenSignature   Adds a username token and a signature username token secret key
Timestamp                Adds a timestamp
Encrypt                  Encrypts the response
Signature                Signs the response
NoSecurity               No action performed

The order of the actions that the client performed to secure the messages is significant and is enforced by the interceptor.
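
A sender and a receiver configured with matching action order, using only setters documented on this page. This is an added example, not code from the Spring-WS project. The class and method names are hypothetical, and the Crypto instances, keystore aliases, key password and callback handler are assumed to be supplied by the caller.

```java
import javax.security.auth.callback.CallbackHandler;
import org.apache.wss4j.common.WSS4JConstants;
import org.apache.wss4j.common.crypto.Crypto;
import org.springframework.ws.soap.security.wss4j2.Wss4jSecurityInterceptor;

/** Added illustration (hypothetical class): sender and receiver with matching actions. */
public class Wss4jInterceptorExample {

    // WS-Security utility namespace, which holds the Timestamp element.
    static final String WSU_NS =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";

    /** Sender: add a timestamp, sign, then encrypt. All arguments are supplied by the caller. */
    static Wss4jSecurityInterceptor sender(Crypto signingKeys, Crypto recipientCerts,
            String signingAlias, String keyPassword, String recipientAlias) {
        Wss4jSecurityInterceptor interceptor = new Wss4jSecurityInterceptor();
        interceptor.setSecurementActions("Timestamp Signature Encrypt");
        interceptor.setSecurementTimeToLive(60);
        interceptor.setSecurementUsername(signingAlias);   // keystore alias of the signing key
        interceptor.setSecurementPassword(keyPassword);
        interceptor.setSecurementSignatureCrypto(signingKeys);
        // Sign the Timestamp as well as the Body, so the validity window is covered too.
        interceptor.setSecurementSignatureParts("{}{}Body; {Element}{" + WSU_NS + "}Timestamp");
        interceptor.setSecurementEncryptionCrypto(recipientCerts);
        interceptor.setSecurementEncryptionUser(recipientAlias);
        // Prefer RSA-OAEP over RSA 1.5 for wrapping the generated symmetric key.
        interceptor.setSecurementEncryptionKeyTransportAlgorithm(WSS4JConstants.KEYTRANSPORT_RSAOAEP);
        interceptor.setSecurementEncryptionSymAlgorithm(WSS4JConstants.AES_256);
        return interceptor;
    }

    /** Receiver: the same actions in the same order as the sender applied them. */
    static Wss4jSecurityInterceptor receiver(Crypto trustedCerts, Crypto decryptionKeys,
            CallbackHandler keyPasswordHandler) {
        Wss4jSecurityInterceptor interceptor = new Wss4jSecurityInterceptor();
        interceptor.setValidationActions("Timestamp Signature Encrypt");
        interceptor.setValidationSignatureCrypto(trustedCerts);
        interceptor.setValidationDecryptionCrypto(decryptionKeys);
        interceptor.setValidationCallbackHandler(keyPasswordHandler); // supplies the private-key password
        interceptor.setTimestampStrict(true);        // enforce the server-side time to live
        interceptor.setValidationTimeToLive(60);
        interceptor.setFutureTimeToLive(60);         // seconds of tolerated clock skew
        interceptor.setEnableRevocation(true);       // CRL checking during certificate trust verification
        interceptor.setAllowRSA15KeyTransportAlgorithm(false);
        return interceptor;
    }
}
```

Declare both interceptors as Spring beans so that afterPropertiesSet() runs before first use.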

Author: Tareq Abed Rabbo, Arjen Poutsma, Greg Turnquist, Jamin Hitchcock

  • Constructor Details

    • Wss4jSecurityInterceptor

      public Wss4jSecurityInterceptor()
      Create a WSSecurityEngine by default.
    • Wss4jSecurityInterceptor

      public Wss4jSecurityInterceptor(org.apache.wss4j.dom.engine.WSSecurityEngine securityEngine)
      Inject a customized WSSecurityEngine.
      securityEngine -
  • Method Details

    • setSecurementActions

      public void setSecurementActions(String securementActions)
    • setSecurementActor

      public void setSecurementActor(String securementActor)
      The actor name of the wsse:Security header.

      If this parameter is omitted, the actor name is not set.

      The value of the actor or role has to match the receiver's setting or may contain standard values.

    • setSecurementEncryptionCrypto

      public void setSecurementEncryptionCrypto(org.apache.wss4j.common.crypto.Crypto securementEncryptionCrypto)
    • setSecurementEncryptionKeyIdentifier

      public void setSecurementEncryptionKeyIdentifier(String securementEncryptionKeyIdentifier)
      Defines which key identifier type to use. The WS-Security specifications recommend using the identifier type IssuerSerial. For possible encryption key identifier types refer to For encryption, only IssuerSerial, X509KeyIdentifier, DirectReference, Thumbprint, SKIKeyIdentifier, and EmbeddedKeyName are valid.
    • setSecurementEncryptionKeyTransportAlgorithm

      public void setSecurementEncryptionKeyTransportAlgorithm(String securementEncryptionKeyTransportAlgorithm)
      Defines which algorithm to use to encrypt the generated symmetric key. Currently WSS4J supports WSS4JConstants.KEYTRANSPORT_RSA15 and WSConstants.KEYTRANSPORT_RSAOAEP.
    • setSecurementEncryptionParts

      public void setSecurementEncryptionParts(String securementEncryptionParts)
      Property to define which parts of the request shall be encrypted.

      The value of this property is a list of semicolon separated element names that identify the elements to encrypt. An encryption mode specifier and a namespace identification, each inside a pair of curly brackets, may precede each element name.

      The encryption mode specifier is either {Content} or {Element}. Refer to the W3C XML Encryption specification for the differences between Element and Content encryption. The encryption mode defaults to Content if it is omitted. Example of a list:

       <property name="securementEncryptionParts"
                                 {Element}{}UserName" />
      The first entry of the list identifies the element CreditCard in the namespace, and will encrypt its content. Be aware that the element name, the namespace identifier, and the encryption modifier are case sensitive.

      The encryption modifier and the namespace identifier can be omitted. In this case the encryption mode defaults to Content and the namespace is set to the SOAP namespace.

      An empty encryption mode defaults to Content, and an empty namespace identifier defaults to the SOAP namespace. The second line of the example defines Element as the encryption mode for a UserName element in the SOAP namespace.

      To specify an element without a namespace, use the string Null as the namespace name (this string is case sensitive).

      If no list is specified, the handler encrypts the SOAP Body in Content mode by default.
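
      The defaulting rules above, written out as a small stand-alone parser. This is an added illustration, not WSS4J's own parsing code. The class name, the SOAP 1.1 namespace constant and the sample namespace urn:example:payment are assumptions, and entries that carry only one brace group are rejected because this page does not define them.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Added illustration of the parts-list rules (hypothetical class, not WSS4J code). */
public class PartsListExample {

    static final String SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"; // SOAP 1.1 assumed

    /** One resolved entry; a null namespace means "element without a namespace". */
    record Part(String mode, String namespace, String name) {}

    // Either a bare element name, or {mode}{namespace}name with both brace groups present.
    private static final Pattern ENTRY =
        Pattern.compile("(?:\\{([^}]*)\\}\\{([^}]*)\\})?([^{};]+)");

    static List<Part> parse(String value) {
        List<Part> parts = new ArrayList<>();
        if (value == null || value.isBlank()) {
            parts.add(new Part("Content", SOAP_NS, "Body")); // default when no list is given
            return parts;
        }
        for (String raw : value.split(";")) {
            Matcher m = ENTRY.matcher(raw.trim());
            if (!m.matches()) {
                throw new IllegalArgumentException("Unsupported entry: " + raw.trim());
            }
            String mode = (m.group(1) == null || m.group(1).isEmpty()) ? "Content" : m.group(1);
            if (!mode.equals("Content") && !mode.equals("Element")) {
                // The modifier is case sensitive, so "element" is treated as an error here.
                throw new IllegalArgumentException("Unknown encryption mode: " + mode);
            }
            String ns = m.group(2);
            if (ns == null || ns.isEmpty()) {
                ns = SOAP_NS;            // omitted or empty namespace
            } else if (ns.equals("Null")) {
                ns = null;               // case-sensitive marker for "no namespace"
            }
            parts.add(new Part(mode, ns, m.group(3).trim()));
        }
        return parts;
    }

    public static void main(String[] args) {
        // Constructed sample value; urn:example:payment is a placeholder namespace.
        String value = "{Content}{urn:example:payment}CreditCard; {Element}{}UserName; {}{Null}Note";
        parse(value).forEach(System.out::println);
        System.out.println(parse(null)); // no list: SOAP Body in Content mode
    }
}
```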

    • setSecurementEncryptionSymAlgorithm

      public void setSecurementEncryptionSymAlgorithm(String securementEncryptionSymAlgorithm)
      Defines which symmetric encryption algorithm to use. WSS4J supports the following algorithms: WSS4JConstants.TRIPLE_DES, WSS4JConstants.AES_128, WSS4JConstants.AES_256, and WSS4JConstants.AES_192. Except for AES 192, all of these algorithms are required by the XML Encryption specification.
    • setSecurementEncryptionUser

      public void setSecurementEncryptionUser(String securementEncryptionUser)
      The user's name for encryption.

      The encryption function uses the public key of this user's certificate to encrypt the generated symmetric key.

      If this parameter is not set, then the encryption function falls back to the parameter to get the certificate.

      If only encryption of the SOAP body data is requested, it is recommended to use this parameter to define the username. The application can then use the standard user and password functions (see example at to enable HTTP authentication functions.

      Encryption only does not authenticate a user / sender, therefore it does not need a password.

      Placing the username of the encryption certificate in the configuration file is not a security risk, because only the public key of that certificate is used.

    • setSecurementPassword

      public void setSecurementPassword(String securementPassword)
    • setSecurementPasswordType

      public void setSecurementPasswordType(String securementUsernameTokenPasswordType)
      Specific parameter for the UsernameToken action to define the encoding of the password.

      The parameter can be set to either WSS4JConstants.PW_DIGEST or to WSS4JConstants.PW_TEXT.

      The default setting is PW_DIGEST.

    • setSecurementSignatureAlgorithm

      public void setSecurementSignatureAlgorithm(String securementSignatureAlgorithm)
      Defines which signature algorithm to use.
      See Also:
      • WSS4JConstants.RSA
      • WSS4JConstants.DSA
    • setSecurementSignatureDigestAlgorithm

      public void setSecurementSignatureDigestAlgorithm(String digestAlgorithm)
      Defines which signature digest algorithm to use.
    • setSecurementSignatureCrypto

      public void setSecurementSignatureCrypto(org.apache.wss4j.common.crypto.Crypto securementSignatureCrypto)
    • setSecurementSignatureKeyIdentifier

      public void setSecurementSignatureKeyIdentifier(String securementSignatureKeyIdentifier)
      Defines which key identifier type to use. The WS-Security specifications recommend using the identifier type IssuerSerial. For possible signature key identifier types refer to For signature, only IssuerSerial and DirectReference are valid.
    • setSecurementSignatureParts

      public void setSecurementSignatureParts(String securementSignatureParts)
      Property to define which parts of the request shall be signed.

      Refer to setSecurementEncryptionParts(String) for a detailed description of the format of the value string.

      If this property is not specified the handler signs the SOAP Body by default.

      The WS Security specifications define several formats to transfer the signature tokens (certificates) or references to these tokens. Thus, the plain element name Token signs the token and takes care of the different formats.

      To sign the SOAP body and the signature token the value of this parameter must contain:

       <property name="securementSignatureParts"
               value="{}{}Body; Token" />
      To specify an element without a namespace, use the string Null as the namespace name (this string is case sensitive).

      If there is no other element in the request with a local name of Body then the SOAP namespace identifier can be empty ({}).

    • setSecurementSignatureUser

      public void setSecurementSignatureUser(String securementSignatureUser)
      The user's name for signature.

      This name is used as the alias name in the keystore to get user's certificate and private key to perform signing.

      If this parameter is not set, then the signature function falls back to the alias specified by setSecurementUsername(String).

    • setSecurementUsername

      public void setSecurementUsername(String securementUsername)
      Sets the username for the securement username token and/or the alias of the private key for the securement signature.
    • setSecurementTimeToLive

      public void setSecurementTimeToLive(int securementTimeToLive)
      Sets the time to live on the outgoing message
    • setSecurementUseDerivedKey

      public void setSecurementUseDerivedKey(boolean securementUseDerivedKey)
      Enables the derivation of keys as per the UsernameTokenProfile 1.1 spec. Default is true.
    • setSecurementSamlCallbackHandler

      public void setSecurementSamlCallbackHandler(CallbackHandler samlCallbackHandler)
      Sets the SAML Callback used for generating SAML tokens.
      samlCallback -
    • setValidationTimeToLive

      public void setValidationTimeToLive(int validationTimeToLive)
      Sets the server-side time to live
    • setValidationActions

      public void setValidationActions(String actions)
      Sets the validation actions to be executed by the interceptor.
    • setValidationActor

      public void setValidationActor(String validationActor)
    • setValidationCallbackHandler

      public void setValidationCallbackHandler(CallbackHandler callbackHandler)
      Sets the handler to use when validating messages.
      See Also:
    • setValidationCallbackHandlers

      public void setValidationCallbackHandlers(CallbackHandler[] callbackHandler)
      Sets the handlers to use when validating messages.
      See Also:
    • setValidationDecryptionCrypto

      public void setValidationDecryptionCrypto(org.apache.wss4j.common.crypto.Crypto decryptionCrypto)
      Sets the Crypto to use to decrypt incoming messages
    • setValidationSignatureCrypto

      public void setValidationSignatureCrypto(org.apache.wss4j.common.crypto.Crypto signatureCrypto)
      Sets the Crypto to use to verify the signature of incoming messages
    • setEnableSignatureConfirmation

      public void setEnableSignatureConfirmation(boolean enableSignatureConfirmation)
      Whether to enable signatureConfirmation or not. By default signatureConfirmation is enabled
    • setTimestampPrecisionInMilliseconds

      public void setTimestampPrecisionInMilliseconds(boolean timestampPrecisionInMilliseconds)
      Sets if the generated timestamp header's precision is in milliseconds.
    • setTimestampStrict

      public void setTimestampStrict(boolean timestampStrict)
      Sets whether or not timestamp verification is done with the server-side time to live
    • setSecurementMustUnderstand

      public void setSecurementMustUnderstand(boolean securementMustUnderstand)
      Enables the mustUnderstand attribute on WS-Security headers on outgoing messages. Default is true.
    • setSecurementUsernameTokenNonce

      public void setSecurementUsernameTokenNonce(boolean securementUsernameTokenNonce)
      Sets whether or not a Nonce element is added to the UsernameTokens. Default is false.
    • setSecurementUsernameTokenCreated

      public void setSecurementUsernameTokenCreated(boolean securementUsernameTokenCreated)
      Sets whether or not a Created element is added to the UsernameTokens. Default is false.
    • setWssConfig

      public void setWssConfig(org.apache.wss4j.dom.engine.WSSConfig config)
      Sets the web service specification settings.

      The default settings follow the latest OASIS specs, and changing anything might violate them.

      config - web service security configuration or null to use default settings
    • setEnableRevocation

      public void setEnableRevocation(boolean enableRevocation)
      Set whether to enable CRL checking or not when verifying trust in a certificate.
    • setBspCompliant

      public void setBspCompliant(boolean bspCompliant)
      Set the WS-I Basic Security Profile compliance mode. Default is true.
    • setAllowRSA15KeyTransportAlgorithm

      public void setAllowRSA15KeyTransportAlgorithm(boolean allow)
      Sets whether the RSA 1.5 key transport algorithm is allowed.
    • setFutureTimeToLive

      public void setFutureTimeToLive(int futureTimeToLive)
      Sets the time in seconds in the future within which the Created time of an incoming Timestamp is valid. The default is 60 seconds.
    • getRemoveSecurityHeader

      public boolean getRemoveSecurityHeader()
    • setRemoveSecurityHeader

      public void setRemoveSecurityHeader(boolean removeSecurityHeader)
    • afterPropertiesSet

      public void afterPropertiesSet() throws Exception
      Specified by:
      afterPropertiesSet in interface org.springframework.beans.factory.InitializingBean
    • secureMessage

      protected void secureMessage(SoapMessage soapMessage, MessageContext messageContext) throws WsSecuritySecurementException
      Description copied from class: AbstractWsSecurityInterceptor
      Abstract template method. Subclasses are required to secure the response contained in the given SoapMessage, and replace the original response with the secured version.
      Specified by:
      secureMessage in class AbstractWsSecurityInterceptor
      soapMessage - the soap message to secure
      WsSecuritySecurementException - in case of securement errors
    • initializeRequestData

      protected org.apache.wss4j.dom.handler.RequestData initializeRequestData(MessageContext messageContext)
      Creates and initializes a request data for the given message context.
      messageContext - the message context
      the request data
    • initializeValidationRequestData

      protected org.apache.wss4j.dom.handler.RequestData initializeValidationRequestData(MessageContext messageContext)
      Creates and initializes a request data for the given message context.
      messageContext - the message context
      the request data
    • validateMessage

      protected void validateMessage(SoapMessage soapMessage, MessageContext messageContext) throws WsSecurityValidationException
      Description copied from class: AbstractWsSecurityInterceptor
      Abstract template method. Subclasses are required to validate the request contained in the given SoapMessage, and replace the original request with the validated version.
      Specified by:
      validateMessage in class AbstractWsSecurityInterceptor
      soapMessage - the soap message to validate
      WsSecurityValidationException - in case of validation errors
    • checkResults

      protected void checkResults(List<org.apache.wss4j.dom.engine.WSSecurityEngineResult> results, List<Integer> validationActions) throws Wss4jSecurityValidationException
      Checks whether the received headers match the configured validation actions. Subclasses could override this method for custom verification behavior.
      results - the results of the validation function
      validationActions - the decoded validation actions
      Wss4jSecurityValidationException - if the results are deemed invalid
    • verifyCertificateTrust

      protected void verifyCertificateTrust(org.apache.wss4j.dom.handler.WSHandlerResult result) throws org.apache.wss4j.common.ext.WSSecurityException
      Verifies the trust of a certificate.
      result -
    • verifyTimestamp

      protected void verifyTimestamp(org.apache.wss4j.dom.handler.WSHandlerResult result) throws org.apache.wss4j.common.ext.WSSecurityException
      Verifies the timestamp.
      result -
    • cleanUp

      protected void cleanUp()
      Specified by:
      cleanUp in class AbstractWsSecurityInterceptor